tmakinen/puppet
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

samba: Refactored samba module to use templates.

Browse source
This commit is contained in:
Timo Mkinen 2013-06-14 12:25:45 +03:00
parent 734fbfdace
commit 5309521c18
6 changed files with 430 additions and 123 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
samba/files/sync-netlogon.sh → samba/files/sync-netlogon
View file

@ -13,7 +13,7 @@ WINSSERVER=`echo '' | testparm -v --section-name global 2> /dev/null | \
if [ "${WINSSERVER}" = "" ]; then if [ "${WINSSERVER}" = "" ]; then
NMBLOOKUP="nmblookup" NMBLOOKUP="nmblookup"
else else
NMBLOOKUP="nmblookup -r ${WINSSERVER}" NMBLOOKUP="nmblookup -R -U ${WINSSERVER}"
fi fi
PDC=`${NMBLOOKUP} "${WORKGROUP}#1B" | \ PDC=`${NMBLOOKUP} "${WORKGROUP}#1B" | \
sed -n "s/^\([0-9\.]*\) ${WORKGROUP}<1b>/\1/p" | head -1` sed -n "s/^\([0-9\.]*\) ${WORKGROUP}<1b>/\1/p" | head -1`
@ -62,6 +62,10 @@ if [ $? -ne 0 ]; then
echo "Error in netlogon sync, rsync failed" echo "Error in netlogon sync, rsync failed"
exit 1 exit 1
fi fi
chcon -Rh -u system_u -t samba_share_t ${TARGETDIR}/ which restorecon > /dev/null 2>&1
if [ $# -eq 0 ]; then
restorecon -r ${TARGETDIR}
fi
rm -rf ${TMPDIR} rm -rf ${TMPDIR}

462
samba/manifests/init.pp
View file

@ -1,169 +1,389 @@
# Install samba server.
# Install Samba client tools
# #
class samba::server { class samba::client {
package { "samba-client":
ensure => installed,
}
}
# Add included samba configuration files
#
# This class is used internally by samba to override various configs.
#
class samba::server::configs {
file { "/etc/samba/smb.conf.d/print.conf":
ensure => present,
content => "load printers = no\nprintcap name = /dev/null\n",
mode => "0644",
owner => "root",
group => $::operatingsystem ? {
"openbsd" => "wheel",
default => "root",
},
require => File["/etc/samba/smb.conf.d"],
notify => Service["smb"],
}
file { "/etc/samba/smb.conf.d/domain.conf":
ensure => present,
content => "os level = 20\n",
mode => "0644",
owner => "root",
group => $::operatingsystem ? {
"openbsd" => "wheel",
default => "root",
},
require => File["/etc/samba/smb.conf.d"],
notify => Service["smb"],
}
file { "/etc/samba/smb.conf.d/wins.conf":
ensure => present,
content => $samba_wins ? {
"" => "name resolve order = lmhosts host bcast\n",
default => "name resolve order = lmhosts host wins bcast\nwins server=${samba_wins}\n",
},
mode => "0644",
owner => "root",
group => $::operatingsystem ? {
"openbsd" => "wheel",
default => "root",
},
require => File["/etc/samba/smb.conf.d"],
notify => Service["smb"],
}
}
# Install Samba server
#
# === Parameters
#
# $auth:
# Server authentication type. Valid values are tdbsam, ldap and
# domain. Default is tdbsam.
# $description:
# Server description. Defaults to "Samba Server Version %v".
# $interfaces:
# Array of intefaces samba should listen to. See "interfaces" option
# from smb.conf manual page for syntax. Localhost interface is
# added automatically. Defaults to all active interfaces.
# $names:
# Array of NetBIOS names that host will be advertised. Defaults to
# [$::hostname].
# $workgroup:
# Workgroup or domain name.
#
# === Global variables
#
# $samba_wins:
# WINS server address
#
# $ldap_server:
# LDAP server URI's to use. Only used when $auth is set to ldap.
# $ldap_basedn:
# LDAP basedn. Only used when $auth is set to ldap.
#
# $samba_join_user:
# Username to use when joining to domain. Only used when $auth is
# set to domain.
# $samba_join_pass:
# Password to use when joining to domain. Only used when $auth is
# set to domain.
#
class samba::server($names=[$::hostname], $auth="tdbsam",
$workgroup="WORKGROUP",
$description="Samba Server Version %v",
$interfaces=undef) {
include samba::server::configs
package { "samba": package { "samba":
ensure => installed, ensure => installed,
} }
case $::operatingsystem {
"openbsd": {
service { "nmbd":
ensure => running,
enable => true,
binary => "/usr/local/libexec/nmbd",
start => "/usr/local/libexec/nmbd -D",
require => File["/etc/samba/smb.conf"],
subscribe => File["/etc/samba/smb.conf"],
}
service { "smbd":
ensure => running,
enable => true,
binary => "/usr/local/libexec/smbd",
start => "/usr/local/libexec/smbd -D",
require => File["/etc/samba/smb.conf"],
subscribe => File["/etc/samba/smb.conf"],
}
}
"centos","redhat": {
case $::operatingsystemrelease {
/^[1-5]\./: {
service { "smb":
ensure => running,
enable => true,
hasstatus => true,
hasrestart => true,
require => File["/etc/samba/smb.conf"],
subscribe => File["/etc/samba/smb.conf"],
}
}
default: {
service { [ "smb", "nmb" ]:
ensure => running,
enable => true,
hasstatus => true,
hasrestart => true,
require => File["/etc/samba/smb.conf"],
subscribe => File["/etc/samba/smb.conf"],
}
}
}
}
"fedora": {
service { [ "smb", "nmb" ]:
ensure => running,
enable => true,
hasstatus => true,
hasrestart => true,
require => File["/etc/samba/smb.conf"],
subscribe => File["/etc/samba/smb.conf"],
}
}
"ubuntu": {
service { [ "smbd", "nmbd" ]:
ensure => running,
enable => true,
hasstatus => true,
hasrestart => true,
require => File["/etc/samba/smb.conf"],
subscribe => File["/etc/samba/smb.conf"],
}
}
default: {
fail("samba::server not supported in '${::operatingsystem}'")
}
}
file { "/etc/samba/smb.conf": file { "/etc/samba/smb.conf":
ensure => present, ensure => present,
source => [ "puppet:///files/samba/smb.conf.${fqdn}", content => template("samba/smb.conf.erb"),
"puppet:///files/samba/smb.conf", ],
mode => "0644", mode => "0644",
owner => "root", owner => "root",
group => $::operatingsystem ? { group => $::operatingsystem ? {
openbsd => "wheel", "openbsd" => "wheel",
default => "root", default => "root",
}, },
require => Package["samba"], require => Package["samba"],
notify => Service["smb"],
}
file { "/etc/samba/smb.conf.d":
ensure => directory,
mode => "0755",
owner => "root",
group => $::operatingsystem ? {
"openbsd" => "wheel",
default => "root",
},
purge => true,
require => Package["samba"],
}
exec { "generate-samba-shares-conf":
command => "find /etc/samba/smb.conf.d/share-*.conf -exec echo 'include = {}' \; > /etc/samba/smb.conf.d/shares.conf",
path => "/bin:/usr/bin:/sbin:/usr/sbin",
refreshonly => true,
notify => Service["smb"],
}
file { "/etc/samba/smb.conf.d/shares.conf":
ensure => present,
mode => "0644",
owner => "root",
group => $::operatingsystem ? {
"openbsd" => "wheel",
default => "root",
},
} }
file { "/etc/samba/lmhosts": file { "/etc/samba/lmhosts":
ensure => present, ensure => present,
source => [ "puppet:///files/samba/lmhosts.${fqdn}", source => [ "puppet:///files/samba/lmhosts.${fqdn}",
"puppet:///files/samba/lmhosts", "puppet:///files/samba/lmhosts",
"puppet:///modules/samba/lmhosts", ], "puppet:///modules/samba/lmhosts", ],
mode => "0644", mode => "0644",
owner => "root", owner => "root",
group => $::operatingsystem ? { group => $::operatingsystem ? {
openbsd => "wheel", "openbsd" => "wheel",
default => "root", default => "root",
}, },
require => Package["samba"], require => Package["samba"],
} }
case $auth {
"ldap": {
exec { "smbpasswd -w":
command => "smbpasswd -w \"\${SECRET}\"",
environment => "SECRET=${samba_ldap_pass}",
path => "/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin",
unless => "fgrep SECRETS/LDAP_BIND_PW /var/lib/samba/private/secrets.tdb",
require => File["/etc/samba/smb.conf"],
notify => Service["smb"],
}
}
"domain": {
exec { "net join":
command => "net join -U ${samba_join_user}%\"\${SECRET}\"",
environment => "SECRET=${samba_join_pass}",
path => "/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin",
unless => "net rpc testjoin -U ${samba_join_user}%\"\${SECRET}\"",
require => Service["smb"],
}
}
}
service { "smb":
name => $::operatingsystem ? {
"openbsd" => "smbd",
"ubuntu" => "smbd",
default => "smb",
},
ensure => running,
enable => true,
}
service { "nmb":
name => $::operatingsystem ? {
"openbsd" => "nmbd",
"ubuntu" => "nmbd",
default => "nmb",
},
ensure => running,
enable => true,
subscribe => Service["smb"],
}
} }
# Install support scripts for Backup Domain Controller # Add WINS server role to Samba server
# #
class samba::bdc { class samba::server::wins inherits samba::server::configs {
include samba::server File["/etc/samba/smb.conf.d/wins.conf"] {
content => "name resolve order = lmhosts host wins bcast\nwins support = true\ndns proxy = true\n",
}
file { "/etc/cron.hourly/sync-netlogon.sh": }
# Add Primary Domain Controller role to Samba server
#
class samba::server::pdc inherits samba::server::configs {
file { "/srv/netlogon":
ensure => directory,
mode => "0755",
owner => "root",
group => $::operatingsystem ? {
"openbsd" => "wheel",
default => "root",
},
seltype => "samba_share_t",
before => Service["smb"],
}
selinux::manage_fcontext { "/srv/netlogon(/.*)?":
type => "samba_share_t",
before => File["/srv/netlogon"],
}
samba::server::share { "netlogon":
path => "/srv/netlogon",
comment => "Network Logon Service",
readonly => true,
options => [ "locking = no", "guest ok = yes", ],
}
File["/etc/samba/smb.conf.d/domain.conf"] {
content => template("samba/domain.conf-pdc.erb"),
}
}
# Add Backup Domain Controller role to Samba server
#
class samba::server::bdc inherits samba::server::pdc {
require samba::client
file { "/usr/local/sbin/sync-netlogon":
ensure => present, ensure => present,
source => "puppet:///modules/samba/sync-netlogon.sh", source => "puppet:///modules/samba/sync-netlogon",
mode => "0755", mode => "0755",
owner => "root", owner => "root",
group => "root", group => "root",
} }
cron { "sync-netlogon":
command => "/usr/local/sbin/sync-netlogon",
minute => "52",
user => "root",
require => File["/usr/local/sbin/sync-netlogon"],
}
} File["/etc/samba/smb.conf.d/domain.conf"] {
content => template("samba/domain.conf-bdc.erb"),
# Join samba server into domain.
#
# === Global variables
#
# $samba_join_user:
# Username to use when joining domain.
#
# $samba_join_pass:
# Password to use when joining domain.
#
class samba::domainmember {
include samba::server
exec { "net join":
command => "net join -U ${samba_join_user}%\"\${SECRET}\"",
environment => "SECRET=${samba_join_pass}",
path => "/bin:/usr/bin:/sbin:/usr/sbin",
unless => "net rpc testjoin -U ${samba_join_user}%\"\${SECRET}\"",
require => Service["smb"],
} }
} }
# Set LDAP auth password to samba. # Add Home directory server role to Samba server
# #
# === Global variables class samba::server::homes {
#
# $samba_ldap_pass:
# Password to set in samba secrets.
#
class samba::ldap {
include samba::server if !defined(Selinux::Boolean["samba_enable_home_dirs"]) {
selinux::boolean { "samba_enable_home_dirs":
value => "on",
before => Service["smb"],
}
}
exec { "smbpasswd -w": samba::server::share { "homes":
command => "smbpasswd -w \"\${SECRET}\"", path => "%H",
environment => "SECRET=${samba_ldap_pass}", comment => "Home Directories",
path => "/bin:/usr/bin:/sbin:/usr/sbin", options => [ "veto files = /.windows/", "browseable = no", ],
unless => "tdbtool /etc/samba/secrets.tdb keys | fgrep 'SECRETS/LDAP_BIND_PW/'",
require => File["/etc/samba/smb.conf"],
notify => Service["smb"],
} }
} }
# Add Profile server role to Samba server
#
class samba::server::profiles {
if !defined(Selinux::Boolean["samba_enable_home_dirs"]) {
selinux::boolean { "samba_enable_home_dirs":
value => "on",
before => Service["smb"],
}
}
selinux::boolean { "samba_create_home_dirs":
value => on,
before => Service["smb"],
}
file { "/srv/profiles":
ensure => directory,
mode => "0755",
owner => "root",
group => $::operatingsystem ? {
"openbsd" => "wheel",
default => "root",
},
seltype => "samba_share_t",
before => Service["smb"],
}
selinux::manage_fcontext { "/srv/profiles(/.*)?":
type => "samba_share_t",
before => File["/srv/profiles"],
}
samba::server::share { "profiles":
path => "/srv/profiles",
comment => "Roaming Profiles",
options => [
"wide links = yes",
"profile acls = yes",
"root preexec = sh -c 'umask 022 ; ( [ -h /srv/profiles/%U ] || ln -s %H/.windows/profile /srv/profiles/%U ) ; ( [ -h /srv/profiles/%U.V2 ] || ln -s %H/.windows/vista /srv/profiles/%U.V2 )'",
"preexec = sh -c 'umask 077; mkdir -p %H/.windows/profile %H/.windows/vista'",
],
}
}
# Add new share to Samba server
#
# === Parameters
#
# $name:
# Share name
# $path:
# Directory to share
# $comment:
# Share description. Defaults to $name.
# $readonly:
# Set to true to make share read only.
# $options:
# Array of extra options to add for share.
#
# === Sample usage
#
# samba::server::share { "r-sysadm":
# comment => "Role: sysadm",
# path => "/roles/sysadm",
# options => [ "hide files = /desktop.ini/Desktop.ini/" ],
# }
#
define samba::server::share($path, $comment=undef, $readonly=undef,
$options=[]) {
file { "/etc/samba/smb.conf.d/share-${name}.conf":
ensure => present,
content => template("samba/share.conf.erb"),
mode => "0644",
owner => "root",
group => $::operatingsystem ? {
"openbsd" => "wheel",
default => "root",
},
require => File["/etc/samba/smb.conf.d"],
notify => Exec["generate-samba-shares-conf"]
}
}

11
samba/templates/domain.conf-bdc.erb Normal file
View file

@ -0,0 +1,11 @@
os level = 130
domain master = no
domain logons = yes
time server = yes
logon script = logon.bat
logon drive = p:
logon path = \\%L\profiles\%U
logon home = \\%L\%U

12
samba/templates/domain.conf-pdc.erb Normal file
View file

@ -0,0 +1,12 @@
os level = 140
domain master = yes
preferred master = yes
domain logons = yes
time server = yes
logon script = logon.bat
logon drive = p:
logon path = \\%L\profiles\%U
logon home = \\%L\%U

13
samba/templates/share.conf.erb Normal file
View file

@ -0,0 +1,13 @@
[<%= @name %>]
comment = <% if @comment %><%= @comment %><% else %><%= @name %><% end %>
path = <%= @path %>
inherit permissions = yes
invalid users = root
<% if @readonly -%>
read only = yes
<% else -%>
read only = no
<% end -%>
<% @options.each do |option| -%>
<%= option %>
<% end -%>

47
samba/templates/smb.conf.erb Normal file
View file

@ -0,0 +1,47 @@
[global]
# host naming
workgroup = <%= @workgroup %>
server string = <%= @description %>
netbios name = <%= @names[0] %>
<% if @names.length > 1 -%>
netbios aliases = <%= @names.drop(1).join(' ') %>
<% end -%>
<% if @interfaces -%>
interfaces = lo <%= @interfaces.join(' ') %>
bind interfaces only = true
<% end -%>
# authentication
<% if @auth == 'tdbsam' -%>
security = user
passdb backend = tdbsam
<% elsif @auth == 'ldap' -%>
security = user
passdb backend = ldapsam:"<%= @ldap_server.join(' ') -%>"
ldap passwd sync = Only
ldap admin dn = "uid=smbadmin,ou=System,<%= @ldap_basedn %>
ldap ssl = no
ldap suffix = <%= @ldap_basedn %>
<% elsif @auth == 'domain' -%>
security = domain
password server = *
<% else -%>
<% scope.function_fail(['Invalid value "%s" for auth.' % @auth]) -%>
<% end -%>
# log per machine and rotate after 128MB
log file = /var/log/samba/%m.log
max log size = 131072
unix charset = iso-8859-1
unix extensions = no
wide links = no
include = /etc/samba/smb.conf.d/domain.conf
include = /etc/samba/smb.conf.d/print.conf
include = /etc/samba/smb.conf.d/wins.conf
include = /etc/samba/smb.conf.d/shares.conf